Description
A path traversal vulnerability was found in awxkit, the CLI tool for AWX. The YAML !include directive does not sanitize file paths, allowing an attacker to craft a malicious YAML file that reads arbitrary YAML-formatted files from the local filesystem when a user imports it using "awx --conf.format yaml import". This is a client-side vulnerability requiring user interaction.
Published: 2026-06-09
Score: 4.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A path traversal flaw has been identified in the awxkit command‑line tool for Red Hat Ansible Automation Platform. The YAML !include directive fails to sanitize paths, enabling an attacker to supply a crafted YAML file that, when imported using "awx --conf.format yaml import", causes awxkit to read arbitrary YAML‑formatted files from the host filesystem. The vulnerability is client‑side and requires a user to execute awxkit against a malicious file; it does not permit code execution or denial of service. The flaw exposes the contents of any local file readable by the user, potentially leaking credentials or configuration information.

Affected Systems

The vulnerability affects all Red Hat Ansible Automation Platform 2 installations that include the awxkit component. No specific patch level is mentioned, so every instance of the platform that has awxkit installed and is capable of importing YAML files is susceptible.

Risk and Exploitability

The CVSS score of 4.7 indicates a low to moderate severity. No EPSS data is available and the flaw is not listed in the CISA KEV catalog, implying no publicly known exploits. Exploitation requires a malicious YAML file to be presented to a user who then runs awxkit, so the risk is limited to scenarios where insider or socially engineered access can be achieved. Nevertheless, reading arbitrary files can lead to credential compromise and internal data leakage.

Generated by OpenCVE AI on June 9, 2026 at 11:50 UTC.

Remediation

Vendor Workaround

The following practices would help avoid exposure to this flaw: 1) Prioritize the default JSON import format instead of YAML. 2) Avoid importing YAML files from untrusted sources.


OpenCVE Recommended Actions

  • Only import YAML files from trusted, verified sources.
  • Prefer the default JSON import format for configuration imports.
  • Disable or restrict the !include directive in YAML parsing or use a sandboxed parser.
  • Upgrade Red Hat Ansible Automation Platform to a patched version when an official fix is released.
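As an added illustration of the third recommendation above (this is example code, not awxkit's or Red Hat's own loader), a PyYAML SafeLoader whose !include constructor resolves every target under a fixed base directory and rejects any path that escapes it; the names ConfinedLoader, resolve_include_path and load_confined, and the sample YAML files, are assumptions made for this example. It requires PyYAML.

```python
import os
import tempfile
import yaml  # PyYAML; assumed installed

def resolve_include_path(base_dir: str, rel: str) -> str:
    """Resolve an !include target and refuse anything outside base_dir."""
    base = os.path.realpath(base_dir)
    # realpath collapses '..' segments and follows symlinks before the check
    target = os.path.realpath(os.path.join(base, rel))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"!include escapes base directory: {rel}")
    return target

class ConfinedLoader(yaml.SafeLoader):  # hypothetical name, not awxkit's own loader
    def __init__(self, stream, base_dir: str):
        super().__init__(stream)
        self.base_dir = base_dir

def _include(loader: ConfinedLoader, node: yaml.Node):
    target = resolve_include_path(loader.base_dir, loader.construct_scalar(node))
    return load_confined(target, loader.base_dir)  # nested includes stay confined

ConfinedLoader.add_constructor("!include", _include)

def load_confined(path: str, base_dir: str):
    """Parse a YAML file whose !include tags may only reach files under base_dir."""
    with open(path, encoding="utf-8") as f:
        return yaml.load(f, Loader=lambda s: ConfinedLoader(s, base_dir))

def demo() -> tuple:  # constructed fixture: a confined base dir and a secret outside it
    root = tempfile.mkdtemp()
    base = os.path.join(root, "imports")
    os.mkdir(base)
    files = {
        "secret.yaml": "token: hunter2\n",  # outside base: must stay unreachable
        "imports/creds.yaml": "user: alice\n",
        "imports/good.yaml": "db: !include creds.yaml\n",
        "imports/evil.yaml": "db: !include ../secret.yaml\n",
    }
    for name, text in files.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as f:
            f.write(text)
    good = load_confined(os.path.join(base, "good.yaml"), base)
    try:
        load_confined(os.path.join(base, "evil.yaml"), base)
        blocked = False
    except ValueError:
        blocked = True
    return good, blocked
```

Because the comparison happens after realpath, a symlink planted inside the base directory that points outside it is rejected as well, not only literal "../" segments.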

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 12:15:00 +0000

Type       | Values Removed         | Values Added
References |                        |
Metrics    | threat_severity: None  | threat_severity: Moderate


Tue, 09 Jun 2026 10:15:00 +0000

Type                | Values Removed | Values Added
Description         |                | A path traversal vulnerability was found in awxkit, the CLI tool for AWX. The YAML !include directive does not sanitize file paths, allowing an attacker to craft a malicious YAML file that reads arbitrary YAML-formatted files from the local filesystem when a user imports it using "awx --conf.format yaml import". This is a client-side vulnerability requiring user interaction.
Title               |                | Awxkit: path traversal via yaml !include directive
First Time appeared |                | Redhat; Redhat ansible Automation Platform
Weaknesses          |                | CWE-22
CPEs                |                | cpe:/a:redhat:ansible_automation_platform:2
Vendors & Products  |                | Redhat; Redhat ansible Automation Platform
References          |                |
Metrics             |                | cvssV3_1: {'score': 4.7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N'}


Subscriptions

Redhat Ansible Automation Platform
MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-06-09T16:09:38.839Z

Reserved: 2026-06-09T07:23:36.530Z

Link: CVE-2026-52902

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-06-09T10:16:44.830

Modified: 2026-06-09T13:49:39.993

Link: CVE-2026-52902

Redhat

Severity : Moderate

Public Date: 2026-06-09T07:17:10Z

Links: CVE-2026-52902 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-09T20:15:06Z

Weaknesses